Client Access server %1 tried to proxy Exchange Web Services traffic to Client Access server %2. This failed because the ...

Client Access server %1 tried to proxy Exchange Web Services traffic to Client Access server %2. This failed because the authentication for the connection between the two Client Access servers failed. This may be due to one of these configuration problems:
1. The host name in %3 may not be registered as a Service Principal Name (SPN) with Kerberos on the target Client Access server. This usually happens because you used the IP address, instead of the host name, of the target Client Access server in the "internalHostname" configuration for the Exchange Web Services virtual directory on the target Client Access server. You can change the "internalHostname" configuration for the target Client Access server using the "Set-Webservicesvirtualdirectory" cmdlet. If you don't want to change the "internalHostname" configuration for the Exchange Web Services virtual directory on the target Client Access server, you can also use the tool "setspn.exe" on the target Client Access server to register additional SPNs for which that Client Access server will accept Kerberos authentication.
2. The server hosting %4 may be configured not to allow Kerberos authentication. It might be set to use "Integrated Windows" authentication for the /ews virtual directory, but be configured to only use NTLM (not Kerberos) authentication for Integrated Windows authentication. If you suspect this may be the cause of the failure, see the IIS documentation for additional troubleshooting steps.